Support

Admin Tools

#26000 IP in Blacklist still showing access

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 29 September 2016 17:20 CDT

Tuesday, 30 August 2016 01:05 CDT

user91030
 Hello,

I saw in exception list many users trying to access admin, I add them in Blacklist but still I think they are able to acces,says login failure, means they are able access admin page still,even its in blackist,
Can you check screenshot,

Also I saw many access alerts from 127.0.0.1.

Tuesday, 30 August 2016 01:52 CDT

nicholas
Have you enabled the IP blacklist feature in the WAF Configure page? If you haven't, anything you put in the blacklist is silently ignored.

That said, login failures will always be logged, even for blacklisted addresses. This has to do with the order of operations in Joomla. Roughly speaking, at some point Joomla loads the system plugins including Admin Tools' system plugin. Then it processes login information. And only after that will it run the first event available to system plugins, onAfterInitialize. Admin Tools processes the IP blacklist inside onAfterInitialize. If a failed login attempt occurs before Joomla calls that code you get a login error logged. However, even if the attacker managed to guess the correct username and password Admin Tools' blacklist feature would STILL block them. Even better, the attacker would NOT know that Joomla accepted their username and password because from their point of view they receive no login cookie and no feedback other than Admin Tools blocking them. Therefore you can ignore those entries. There are several dozens of tickets where I have explained that.

Regarding 127.0.0.1, this seems to be a script running on your server screwing up (or a different hacked site on the same server trying to access your site). You can't do much about it. You can always try to block 127.0.0.1 but this means that any CRON jobs you've set up and which try to access your site over HTTP/HTTPS will fail.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 September 2016 17:20 CDT

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2016-09-29 17:20 CDT

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!